Group export and basic rules (#87)

* Add Azure DevOps groups export
* Add 3 rules for groups

Author: webtonize

README.md

@@ -180,6 +180,9 @@ in building the ruleset for this module.
 
 ### Implemented rules
 
+- [Azure.DevOps.Groups.ProjectAdmins.MinMembers](./src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MinMembers.md)
+- [Azure.DevOps.Groups.ProjectAdmins.MaxMembers](./src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MaxMembers.md)
+- [Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups](./src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups.md)
 - [Azure.DevOps.Pipelines.Core.InheritedPermissions](./src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.InheritedPermissions.md)
 - [Azure.DevOps.Pipelines.Core.NoPlainTextSecrets](./src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.NoPlainTextSecrets.md)
 - [Azure.DevOps.Pipelines.Core.UseYamlDefinition](./src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Pipelines.Core.UseYamlDefinition.md)

docs/token-permissions.md

@@ -81,7 +81,7 @@ The following table lists the token scopes that are required for each command.
 
 | Rule Function                             | API(s)                                   | Version       | Method | Scope(s)                | PAT Category        | PAT Name        |
 |-------------------------------------------|------------------------------------------|---------------|--------|-------------------------|---------------------|-----------------|
-| Get-AzDevOpsProjects                      | projects                                 | 6.0           | GET    | vso.profile             | User Profile        | Read            |
+| Get-AzDevOpsProject                      | projects                                 | 6.0           | GET    | vso.profile             | User Profile        | Read            |
 |                                           |                                          |               |        | vso.project             | Project and Team    | Read            |
 | Get-AzDevOpsPipelines                     | pipelines                                | 6.0-preview.1 | GET    | vso.build               | Build               | Read            |
 |                                           | pipelines/{pipelineid}                   | 6.0-preview.1 | GET    | vso.build               | Build               | Read            |

example/best-practice/ps-rule.yaml

@@ -0,0 +1,13 @@
+execution:
+  inconclusiveWarning: false
+  notProcessedWarning: false
+  suppressedRuleWarning: false
+  suppressionGroupExpired: Error
+
+configuration:
+  ProjectAdminsMinMembers: 2
+  ProjectAdminsMaxMembers: 4
+  releaseMinimumProductionApproverCount: 1
+  branchMinimumApproverCount: 1
+  ghasEnabled: true
+  ghasBlockPushesEnabled: true

src/PSRule.Rules.AzureDevOps/Functions/Common.ps1

@@ -58,6 +58,7 @@ Function Connect-AzDevOps {
         [Parameter(ParameterSetName = 'ServicePrincipal', Mandatory=$true)]
         [string]
         $TenantId,
+        [Parameter()]
         [ValidateSet('PAT', 'ServicePrincipal', 'ManagedIdentity')]
         [string]
         $AuthType = 'PAT',
@@ -96,6 +97,7 @@ Function Disconnect-AzDevOps {
     [CmdletBinding()]
     param ()
     Clear-Variable connection -Scope Script -ErrorAction SilentlyContinue
+    Remove-Variable connection -Scope Script -ErrorAction SilentlyContinue
     $script:connection = ""
     $script:connection = $null
 }
@@ -109,19 +111,26 @@ Function Disconnect-AzDevOps {
     Get all Azure DevOps projects for an organization using Azure DevOps Rest API
 
     .EXAMPLE
-    Get-AzDevOpsProjects
+    Get-AzDevOpsProject
 #>
-function Get-AzDevOpsProjects {
+function Get-AzDevOpsProject {
     [CmdletBinding()]
-    [OutputType([System.Object[]])]
-    param ()
+    param (
+        [Parameter()]
+        [string]
+        $Project = ""
+    )
     if ($null -eq $script:connection) {
         throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
     }
     $header = $script:connection.GetHeader()
     $Organization = $script:connection.Organization
     Write-Verbose "Getting projects for organization $Organization"
-    $uri = "https://dev.azure.com/$Organization/_apis/projects?api-version=6.0"
+    if([string]::IsNullOrEmpty($Project) -eq $false) {
+        $uri = "https://dev.azure.com/$Organization/_apis/projects/$($Project)?api-version=7.2-preview.4"
+    } else {
+        $uri = "https://dev.azure.com/$Organization/_apis/projects?api-version=7.2-preview.4"
+    }
     Write-Verbose "URI: $uri"
     try {
         $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $header
@@ -131,9 +140,12 @@ function Get-AzDevOpsProjects {
         }
     }
     catch {
-        Write-Error "Failed to get projects from Azure DevOps"
+        throw "Failed to get projects from Azure DevOps"
+    }
+    if($response.value) {
+        return $response.value
+    } else {
+        return $response
     }
-    $projects = $response.value
-    return @($projects)
 }
-# End of Function Get-AzDevOpsProjects
+# End of Function Get-AzDevOpsProject

src/PSRule.Rules.AzureDevOps/Functions/DevOps.Groups.ps1

@@ -0,0 +1,163 @@
+<#
+    .SYNOPSIS
+    Get a list of groups from Azure DevOps
+
+    .DESCRIPTION
+    Get a list of groups from Azure DevOps for the specified organization and project using the Azure DevOps Rest API
+
+    .PARAMETER Project
+    The name of the project to get groups for
+
+    .EXAMPLE
+    Get-AzDevOpsGroups -Project 'MyProject'
+
+    .NOTES
+    This function requires a connection to Azure DevOps. See Connect-AzDevOps for more information.
+#>
+Function Get-AzDevOpsGroups {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory=$true)]
+        [string]
+        $Project
+    )
+    if($null -eq $script:connection) {
+        throw 'Not connected to Azure DevOps. Run Connect-AzDevOps first.'
+    }
+    # Get project id
+    try {
+        $projectResult = Get-AzDevOpsProject -Project $Project
+    }
+    catch {
+        throw "Failed to get project details from Azure DevOps"
+    }
+    $header = $script:connection.GetHeader()
+    $Organization = $script:connection.Organization
+    # Set the scope descriptor REST API endpoint
+    $uri = "https://vssps.dev.azure.com/$($Organization)/_apis/graph/descriptors/$($projectResult.id)?api-version=7.2-preview.1"
+    $scopeDescriptor = (Invoke-RestMethod -Uri $uri -Method Get -Headers $header).value
+    $uri = "https://vssps.dev.azure.com/$($Organization)/_apis/graph/groups?scopeDescriptor=$scopeDescriptor&api-version=7.2-preview.1"
+    $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $header
+    return $response.value
+}
+Export-ModuleMember -Function Get-AzDevOpsGroups
+# End of Function Get-AzDevOpsGroups
+
+<#
+    .SYNOPSIS
+    Get details for a group from Azure DevOps
+
+    .DESCRIPTION
+    Get details for a group from Azure DevOps for the specified group object using the Azure DevOps Rest API
+
+    .PARAMETER Group
+    The group object to get details for
+
+    .EXAMPLE
+    $group = (Get-AzDevOpsGroups -Project 'MyProject')[0]
+    Get-AzDevOpsGroupDetails -Group $group
+
+    .NOTES
+    This function requires a connection to Azure DevOps. See Connect-AzDevOps for more information.
+#>
+Function Get-AzDevOpsGroupDetails {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory=$true)]
+        [object]
+        $Group
+    )
+    if($null -eq $script:connection) {
+        throw 'Not connected to Azure DevOps. Run Connect-AzDevOps first.'
+    }
+    $header = $script:connection.GetHeader()
+    $result = $Group
+
+    # Get detail for which group this group is a member of
+    $memberShipUri = $Group._links.memberships.href
+    try {
+        $membershipResult = (Invoke-RestMethod -Uri $memberShipUri -Method Get -Headers $header).value
+        if($membershipResult -is [string] -or $null -eq $membershipResult) {
+            throw "Authentication failed or organization not found"
+        }
+    }
+    catch {
+        throw "Failed to get group memberOf details from Azure DevOps"
+    }
+    # Get the self information for each membership
+    $memberships = @()
+    foreach($item in $membershipResult) {
+        $itemUri = $item._links.container.href
+        $itemResult = (Invoke-RestMethod -Uri $itemUri -Method Get -Headers $header)
+        $memberships += $itemResult
+    }
+    $result | Add-Member -MemberType NoteProperty -Name MemberOf -Value $memberships -Force
+
+    # Get all members of this group
+    $memberUri = "$($Group._links.memberships.href)?direction=down&api-version=7.2-preview.1"
+    $memberResult = (Invoke-RestMethod -Uri $memberUri -Method Get -Headers $header).value
+    
+    # Get the self information for each member
+    $members = @()
+    foreach($item in $memberResult) {
+        $itemUri = $item._links.member.href
+        $itemResult = (Invoke-RestMethod -Uri $itemUri -Method Get -Headers $header)
+        $members += $itemResult
+    }
+    $result | Add-Member -MemberType NoteProperty -Name Members -Value $members -Force
+    return $result
+}
+Export-ModuleMember -Function Get-AzDevOpsGroupDetails
+
+<#
+    .SYNOPSIS
+    Export all groups from Azure DevOps for a project to a JSON file
+
+    .DESCRIPTION
+    Export all groups from Azure DevOps for a project to a JSON file
+
+    .PARAMETER Project
+    The name of the project to get groups for
+
+    .PARAMETER OutputPath
+    The folder path to the JSON file to export to
+
+    .EXAMPLE
+    Export-AzDevOpsGroups -Project 'MyProject' -OutputPath 'C:\Temp\'
+
+    .NOTES
+    This function requires a connection to Azure DevOps. See Connect-AzDevOps for more information.
+#>
+Function Export-AzDevOpsGroups {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory=$true)]
+        [string]
+        $Project,
+        [Parameter(Mandatory=$true)]
+        [string]
+        $OutputPath
+    )
+    if($null -eq $script:connection) {
+        throw 'Not connected to Azure DevOps. Run Connect-AzDevOps first.'
+    }
+    try {
+        $groups = Get-AzDevOpsGroups -Project $Project
+    }
+    catch {
+        throw "Failed to get groups from Azure DevOps"
+    }
+    $groupDetails = @()
+    foreach($group in $groups) {
+        $thisGroup = Get-AzDevOpsGroupDetails -Group $group
+        # Add an ObjectType property to the group object
+        $thisGroup | Add-Member -MemberType NoteProperty -Name ObjectType -Value 'Azure.DevOps.Group' -Force
+        # Add the group name to the group object as an ObjectName property with a convention of Organization.Project.GroupName
+        $thisGroup | Add-Member -MemberType NoteProperty -Name ObjectName -Value "$($script:connection.Organization).$($Project).$($group.displayName)" -Force
+
+        $groupDetails += $thisGroup
+    }
+    $groupDetails | ConvertTo-Json -Depth 100 | Out-File -FilePath "$OutputPath\groups.ado.json"
+}
+Export-ModuleMember -Function Export-AzDevOpsGroups
+# End of Function Export-AzDevOpsGroups

src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psm1

@@ -40,13 +40,23 @@ Function Export-AzDevOpsRuleData {
         [string]
         $OutputPath
     )
+    Write-Verbose "Exporting rule data for project $Project to $OutputPath"
+    Write-Verbose "Exporting repos and branch policies"
     Export-AzDevOpsReposAndBranchPolicies -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting environment checks"
     Export-AzDevOpsEnvironmentChecks -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting service connections"
     Export-AzDevOpsServiceConnections -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting pipelines"
     Export-AzDevOpsPipelines -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting pipelines settings"
     Export-AzDevOpsPipelinesSettings -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting variable groups"
     Export-AzDevOpsVariableGroups -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting release definitions"
     Export-AzDevOpsReleaseDefinitions -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting groups"
+    Export-AzDevOpsGroups -Project $Project -OutputPath $OutputPath
 }
 Export-ModuleMember -Function Export-AzDevOpsRuleData -Alias Export-AzDevOpsProjectRuleData
 # End of Function Export-AzDevOpsRuleData
@@ -71,7 +81,7 @@ Function Export-AzDevOpsOrganizationRuleData {
         [string]
         $OutputPath
     )
-    $projects = Get-AzDevOpsProjects
+    $projects = Get-AzDevOpsProject
     $projects | ForEach-Object {
         $project = $_
         # Create a subfolder for each project
@@ -85,7 +95,7 @@ Function Export-AzDevOpsOrganizationRuleData {
 Export-ModuleMember -Function Export-AzDevOpsOrganizationRuleData
 # End of Function Export-AzDevOpsOrganizationRuleData
 
-Export-ModuleMember -Function Get-AzDevOpsProjects
+Export-ModuleMember -Function Get-AzDevOpsProject
 Export-ModuleMember -Function Connect-AzDevOps
 Export-ModuleMember -Function Disconnect-AzDevOps
 

src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MaxMembers.md

@@ -0,0 +1,27 @@
+---
+category: Microsoft Azure DevOps Pipelines
+severity: Severe
+online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MaxMembers.md
+---
+
+# Azure.DevOps.Groups.ProjectAdmins.MinMembers
+
+## SYNOPSIS
+
+The project administrators group should have at most 4 members.
+
+## DESCRIPTION
+
+The project administrators group should have at most 4 members. This ensures that there is not too many people who can manage the project. This rule applies to the default project administrators group.
+
+Mininum TokenType: `ReadOnly`
+
+This setting is configurable and can be changed to suit your organization's needs with `ProjectAdminsMaxMembers` in the `configuration` section of your ps-rule.yaml file.
+
+## RECOMMENDATION
+
+Consider removing members from the project administrators group.
+
+## LINKS
+
+- [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks)

src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MinMembers.md

@@ -0,0 +1,28 @@
+---
+category: Microsoft Azure DevOps Pipelines
+severity: Severe
+online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectAdmins.MinMembers.md
+---
+
+# Azure.DevOps.Groups.ProjectAdmins.MinMembers
+
+## SYNOPSIS
+
+The project administrators group should have at least 2 members.
+
+## DESCRIPTION
+
+The project administrators group should have at least 2 members. This ensures that there is more than one person who can manage the project. This rule applies to the default project administrators group.
+
+
+Mininum TokenType: `ReadOnly`
+
+This setting is configurable and can be changed to suit your organization's needs with `ProjectAdminsMinMembers` in the `configuration` section of your ps-rule.yaml file.
+
+## RECOMMENDATION
+
+Consider adding more than one member to the project administrators group.
+
+## LINKS
+
+- [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks)

src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups.md

@@ -0,0 +1,27 @@
+---
+category: Microsoft Azure DevOps Pipelines
+severity: Severe
+online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups.md
+---
+
+# Azure.DevOps.Groups.ProjectValidUsers.DoNotAssignMemberOfOtherGroups
+
+## SYNOPSIS
+
+The project valid users group should not be a member of any other group.
+
+## DESCRIPTION
+
+The project valid users group is the minimum permissions level group for a
+project. This group should not be a member of any other group. This rule applies
+to the default project valid users group.
+
+Mininum TokenType: `ReadOnly`
+
+## RECOMMENDATION
+
+Consider removing the project valid users group from any other groups.
+
+## LINKS
+
+- [Azure DevOps Security best practices - Tasks](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#tasks)